Tor at the Heart: Security in-a-Box

This is one of a series of periodic blog posts where we highlight other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Please support the Tor Project! We're at the heart of Internet freedom. Donate today!

Security in-a-Box

More than ten years ago, Tactical Tech and Front Line Defenders started providing digital security trainings for human rights defenders at risk around the world. Soon thereafter, they created Security in-a-Box to supplement those trainings and to support self-learning and peer-education among those defenders.

Security in-a-Box offers general advice and practical walkthroughs designed to help its users secure their digital information and communication by choosing the right software and integrating it into their daily lives.

Hands-on guides

Security in-a-Box offers a number of Tool Guides that explain step-by-step how to download, install, and use digital security tools on Linux, Windows, Mac OS X, and Android. Some of these guides that were recently updated in 11 languages include:

Tips and Tactics

As digital security is a process that extends well beyond the adoption of specific tools, Security in-a-Box also offers Tactics Guides that propose new ways of thinking about security and recommend practices that might strengthen it. Some of these include:

Community

Over the years, a community of digital security trainers, editors, translators, and privacy advocates has sprung up around Security in-a-Box. Many digital security trainers from Africa, Latin America, Central and Southeast Asia, Europe and North America rely on Security in-a-Box for their trainings and contribute to its development.

Thanks to the project’s community translators, Security in-a-Box is published in 17 different languages. Recently updated translations include: Arabic, Spanish, Farsi, French, Indonesian, Portuguese, Russian, Thai, Turkish, Vietnamese and Chinese. As a result, Security in-a-Box reaches well over a million people each year with advice on digital security, online privacy and censorship circumvention.

None of this would have been possible without the work of the software developers who create these tools in the first place, and to whom we are extremely grateful. Donate to the Tor Project today!

Written by Maria Xynou (Tactical Tech) and Wojtek Bogusz (Front Line Defenders)

Bruce Schneier and Tor Project employees may not be surprised by one revelation from the latest batch of leaks of secret FBI papers. Still now everyone knows that what we long feared is true: FBI agents do not need to seek any warrants or to ever tell any judge if they want to target anyone who they believe is "engaged in the development of communications security practices":

> According to the guide, an online counterterrorism investigation can target websites or online networks that the FBI believes terrorists are using “to encourage and recruit members” or to spread propaganda. Such probes may extend to the administrators or creators of those forums, as well as people engaged in “the development of communications security practices” or “acting as ‘virtual couriers’ for terrorist organizations by passing online messages among members or leadership.”

Individual FBI agents are given very wide latitude in how to interpret these manuals, so some of them probably consider that anyone operating a Tor node is "acting as a virtual courier".

> Bruce Schneier and Tor Project employees may not be surprised by one revelation from the latest batch of leaks of secret FBI papers.
mismatch : it is coming from an ancient law (uk usage) : 'legitimate suspicion' still applied since several centuries ; nothing to do with terrorism or FBI or internet, (it is only used against genuine people usually so the "trump ban" is not involved.).
In fact this law has become a standard in the rogue state and where mafioso / military force became the "legitimate government" _ nothing to do with usa (e.u & arab & east countries are a better example) ...

pidgin is recommended but who has 100 correspondents & could say : it is safe & no one know whom and why & where i use it ?
* i tried it several times for communicating with a few 'unknown' friends but i was not a target.

"Other Tool Guides cover setting up a Riseup email account,"
Not a good idea. Riseup may have been compromised.
Even if users use pgp, admins of an email server can know who is talking to who, and all contacts in the address book. What time the user is online.

From article:
""Due to Thanksgiving and other deadlines, our lawyers were not available to advise us on what we can and cannot say," the collective member told me. "So in the interest of adopting a precautionary principle, we couldn’t say anything. Now that we have talked to [counsel], we can clearly say that since our beginning, and as of this writing, riseup has not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic.""

"And yet, when I asked if riseup had received any request for user data since August 16, the collective did not comment. Clearly, something happened, but riseup isn’t able to talk about it publicly."

> There is an excellent freeware anti-virus program for Windows called Avast, which is easy to use, regularly updated and well-respected by anti-virus experts. It requires that you register once every 14 months, but registration, updates and the program itself are all free-of-charge.

I'm not an employee of Tor Project, just a user, but I'll take a stab at this:

> Why there's some usa and UK ip-ranges in tor circuits?

The Tor network relies upon volunteers who provide Tor nodes at their own expense. Many of them live in the US/UK, and cheap rates are often available for servers in the US/UK. Further Tor is not yet outright illegal in the US/UK (although that might soon change). Hence it is not surprising that many Tor nodes are in the US/UK.

The country which hosts the most Tor nodes is currently FR, by the way. Because that nation has enacted a law which appears to mandate backdoors in "mobile devices", I am not sure how legal it is to operate a Tor node in FR, but I assume it must still be legal, if only just barely so.

> As far as I know the whole usa and UK is under control of NSA.

That's quite a leap. It would be more true to say that NSA maintains an illicit presence in many, even most, IXs, national backbones, commercial telecoms/ISP networks, banking networks, around the world, for the purpose of cyberespionage/cyberwar. As such NSA is virtually a "global adversary", of the kind which, in past years, Tor traditionally did not attempt to defend against.

However, many ordinary people, NGOs, and even government officials in the US/UK oppose the rapid growth and "normalization" of the technostasi in these formerly democratic nations, and NSA (and allied actors) cannot easily deter them all from speaking out.

Ideally, there would exist many "safe haven" nations which encourage people to run Tor nodes without interference, and if that were true, it would indeed make sense to try to encourage volunteers to set up nodes in such nations. But alas, it is not true--- as all the "Western" governments appear to be turning in unison to abandon the ideals of the Enlightenment in order to adopt a peculiarly vicious new form of technologically enabled fascism, there are perhaps no "safe havens" left.

That is why every citizen of every nation has a duty to resist government oppression, even though this puts them at severe risk of retaliation: if adults don't resist today, life in a police state will become unbearable for our children by the time they become adults, if indeed they do not become victims of the genocides for which figures like Trump are plainly preparing the way.

> So where is the logic of using tor browser that is controlled by NSA?

Again, quite a leap. NSA's illicit presence in numerous networks implies that it can "easily" collect packets as they (i) pass between a user and an ISP gateway to a Tor entry guard (ii) pass from an entry guard to a Tor relay node (iii) pass from a Tor relay node to a Tor exit node (iv) pass from a Tor exit node to a destination server. However, because tor circuits are strongly encrypted as per the basic idea of the "onion" design, NSA may not be able to easily read the underlying plaintext.

It is true that NSA has poured enormous resources into illegally accessing all manner of electronic devices, no doubt including Tor nodes, all over the world, and is also suspected of itself operating some nodes for illicit purposes, but this makes them a criminal adversary of the Tor network, not a "controller" of the Tor network.

And while NSA's power and resources are indeed frightful, the agency is struggling under complex problems which tend to reduce or even undermine its real-world capabilities.

It would be better to think of it like this: NSA is a deadly enemy, in fact the enemy of the entire world (even the US), but Tor is a powerful force for good which is helping to prevent them from too easily grabbing everything they want "because they can".

> https://boingboing.net/2017/02/15/title-italy-unveils-a-law-pro.html
bullshit !
Nothing to do with terrorism or mafia ; they do not need a trojan !
In fact since dalla chiesa period , their methods are well known and never did or do attack the civil rights !
uk or us laws are not italians laws : misinformation & fake news are polluting the web.
The article (follow the italian link above pls) is about police force and judges who are working on the side of the organized crime and are afraid to be behind the bars : they are legalizing illegal methods - (romania tried to do the same about corruption few days ago).

I don't know if the developers will read this. I am not going out of my way to inform them using other methods of communication than this, meaning no email or otherwise etc. Simple things like that: there should be easy to access feedback that doesn't need a sign-up or sign-in etc. If you know how to contact them tell them of this feedback. I post here instead.

First impression with Tor v6.5 FUGLY well that is firefox fault they lost the plot years ago when they wanted everything mobile like YUK. Anyway at least it is not google or its clones or should that be opera and its clones. Nor thankfully is it IE.

Big FUG is the wasted space at the top of the browser stealing desktop space so less screen to read web pages. Firefox there's no need for this whatsoever, go back to v2 and take another look that browser was far better than is now. That FuckFox out of the way now on with Tor.

The older tor could easily let me choose any country from a panel list. With this version needs to keep pressing new circuit. Yes sure exit nodes and all that crap what do I care for the setting they should be available in the browser Tor settings since no one or the many will never use them including myself.

Suggest have again the old panels that used to be so able to adjust country instead of cycling new circuit with a hope of getting the country correct. This is poor foresight and lack of thought. Or how about have a drop list on new circuit where we can pick the country we need as an IP.

These are the major first gripes I guess I hate this Tor and the old one is far superior and far simpler to understand.

And what does it mean for min security slider no security but has NoScript unknown and not going to look for that either. That should be on the security slider details as is with the other two settings. Again poor lack of forethought, foresight and planning. And how many people are involved with Tor surely someone must have suggested these things to make using tor easy and more enjoyable.

At least it starts quicker than the old Tor but I would expect that with amount of time in between the versions.

Someone inform the Tor developers so they can come and read copy and inform other developers. And rightly so then delete this once they have the information.

Why is there no way to chat live with tor or not to Tor this is what would be expected. Or at least a feedback panel like this here. But then maybe Tor are thinking too many people would write to complain and rightly so.

Anyway thanks for keeping Tor going it has gone backwards dumbed down. The old version a young 4 year old could easily use it, I guess with this version it would be less so.

Don't shoot the messenger I am trying to help Tor to be better than it is now using this feedback.

I think it's terribly important that Tor Project do everything it can to encourage more people to use Tor. At times this might lead to minor (or even major) design decisions which seem repugnant to us long-time users (or even a bit scary, e.g. the lowballed default settings in the security slider). It probably helps to bear in mind that every design decision involves tradeoffs. In the case of Tor, the most difficult and hardest to avoid include tradeoffs between usability/security, security/anonymity, simplicity/complexity (maybe just a different way of restating the usability/security issue), boldness/risk-aversiveness. Not only Tor coders but Tor users must continually make this kind of tradeoff.

yeh, I agree with you about mobile like fugly UI, plus it glitching and slower than the previous versions but with all the advanced options that you need without necessarily getting into the about:config.

They shall left the previous (windows 95 like or win2k, whatever) UI for ppl to decide what better to use.

Everything is terribly conspirative these days and fugly simplified, that's the point.

Recent Updates

Hi! There's a new alpha release available for download. If you build Tor from source, you can download the source code for 0.3.3.2-alpha from the usual place on the website. Packages should be available over the coming weeks, with a new alpha Tor Browser release some time in February.

Remember, this is an alpha release: you should only run this if you'd like to find and report more bugs than usual.

Tor 0.3.3.2-alpha is the second alpha in the 0.3.3.x series. It introduces a mechanism to handle the high loads that many relay operators have been reporting recently. It also fixes several bugs in older releases. If this new code proves reliable, we plan to backport it to older supported release series.

Changes in version 0.3.3.2-alpha - 2018-02-10

Major features (denial-of-service mitigation):

Give relays some defenses against the recent network overload. We start with three defenses (default parameters in parentheses). First: if a single client address makes too many concurrent connections (>100), hang up on further connections. Second: if a single client address makes circuits too quickly (more than 3 per second, with an allowed burst of 90) while also having too many connections open (3), refuse new create cells for the next while (1-2 hours). Third: if a client asks to establish a rendezvous point to you directly, ignore the request. These defenses can be manually controlled by new torrc options, but relays will also take guidance from consensus parameters, so there's no need to configure anything manually. Implements ticket 24902.
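The first two defenses amount to per-address accounting plus a token bucket. The sketch below is an added example, not Tor's own code: the type and function names are hypothetical, the block length is assumed to be 3600 seconds (the low end of "1-2 hours"), and "(3)" is read as "three or more open connections".

```c
#include <stdint.h>
#include <stdio.h>
/* Defaults quoted in the release notes; all names here are illustrative. */
#define MAX_CONCURRENT_CONNS 100  /* defense 1: hang up beyond this many */
#define CIRC_RATE_PER_SEC 3       /* defense 2: token refill rate */
#define CIRC_BURST 90             /* defense 2: bucket capacity */
#define MIN_CONNS 3               /* defense 2 applies at 3+ open connections */
#define BLOCK_SECS 3600           /* "1-2 hours": lower bound assumed */

typedef struct {            /* per-client-address state (hypothetical) */
    uint32_t conns;         /* concurrent connections */
    uint64_t tokens;        /* circuit-creation tokens left */
    uint64_t last_refill;   /* seconds, monotonic clock */
    uint64_t blocked_until; /* create cells refused before this time */
} client_t;

void client_init(client_t *c, uint64_t now) {
    c->conns = 0; c->tokens = CIRC_BURST;
    c->last_refill = now; c->blocked_until = 0;
}

/* Defense 1: returns 1 to accept the connection, 0 to hang up. */
int on_new_connection(client_t *c) {
    if (c->conns >= MAX_CONCURRENT_CONNS) return 0;
    c->conns++;
    return 1;
}

/* Defense 2: returns 1 to process the create cell, 0 to refuse it. */
int on_create_cell(client_t *c, uint64_t now) {
    if (now > c->last_refill) {  /* refill, capped at the burst size */
        c->tokens += (now - c->last_refill) * CIRC_RATE_PER_SEC;
        if (c->tokens > CIRC_BURST) c->tokens = CIRC_BURST;
        c->last_refill = now;
    }
    if (now < c->blocked_until) return 0;  /* still serving a block */
    if (c->tokens > 0) { c->tokens--; return 1; }
    if (c->conns < MIN_CONNS) return 1;    /* too few connections to flag */
    c->blocked_until = now + BLOCK_SECS;   /* bucket empty: start block */
    return 0;
}

int main(void) {
    client_t c; client_init(&c, 0);
    for (int i = 0; i < 3; i++) on_new_connection(&c);
    int ok = 0; for (int i = 0; i < 200; i++) ok += on_create_cell(&c, 0);
    printf("accepted %d of 200 create cells in one second\n", ok);
    return 0;
}
```

Once an address is blocked, the refilling bucket does not readmit it: create cells stay refused until the block period ends, which is what separates this from a plain rate limiter.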

Major bugfixes (netflow padding):

Stop adding unneeded channel padding right after we finish flushing to a connection that has been trying to flush for many seconds. Instead, treat all partial or complete flushes as activity on the channel, which will defer the time until we need to add padding. This fix should resolve confusing and scary log messages like "Channel padding timeout scheduled 221453ms in the past." Fixes bug 22212; bugfix on 0.3.1.1-alpha.